Discussion:
RBL's used
(too old to reply)
Craig Whitmore
2003-02-27 18:49:41 UTC
Permalink
As the amount of spam grows as the internet grows bigger, using RBL's is
growing as well (to try and stop/slow the spam).

I am wondering what RBL's other ISP's/Companies in NZ Use?

There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they say), but the best I've
found so far has been http://relays.osirusoft.com.

Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.

Thanks
Craig Whitmore
Orcon Internet
http://www.nzdsl.co.nz
Simon Lyall
2003-02-27 19:51:03 UTC
Permalink
Post by Craig Whitmore
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they sa
Not main of the main ones say this.
Post by Craig Whitmore
y), but the best I've
found so far has been http://relays.osirusoft.com.
Watch the false +ives on this one. You'll get a reasonble number.
Post by Craig Whitmore
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
bl.spamcop.net , [kr|cn|ng|br].rbl.cluecentral.net

1. False positives
2. Timeouts when the RBL dies or gets DOSed
3. False positives
--
Simon Lyall. | Newsmaster | Work: ***@ihug.co.nz
Senior Network/System Admin | Postmaster | Home: ***@darkmere.gen.nz
Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
Des Berryman
2003-02-27 20:15:17 UTC
Permalink
----- Original Message -----
From: "Simon Lyall" <***@ihug.co.nz>
To: "Craig Whitmore" <***@orcon.net.nz>
Cc: "NZNOG" <***@list.waikato.ac.nz>
Sent: Friday, February 28, 2003 8:51 AM
Subject: Re: [nznog] RBL's used
Post by Simon Lyall
Post by Craig Whitmore
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they sa
Not main of the main ones say this.
Post by Craig Whitmore
y), but the best I've
found so far has been http://relays.osirusoft.com.
Watch the false +ives on this one. You'll get a reasonble number.
Post by Craig Whitmore
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
bl.spamcop.net , [kr|cn|ng|br].rbl.cluecentral.net
1. False positives
2. Timeouts when the RBL dies or gets DOSed
3. False positives
--
http://www.darkmere.gen.nz
Post by Simon Lyall
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
ordb.org - they only list servers that technically fail anti-relaying
measures.
They also test their lists occasionally and removal is prompt when issues
are resolved.
As yet, I can not say I've experienced a single failure with this crowd.
Regarding those RBL's that list Xtra, orbs.dorkslayers.com could hardly
termed as useful in any sense (see NANAE) and use of xbl.selwerd.cx seems to
be very localised to it's own region.

Des Berryman
Xtra Abuse and Security Team
Xtra Limited
Juha Saarinen
2003-02-27 20:10:57 UTC
Permalink
Post by Des Berryman
ordb.org - they only list servers that technically fail anti-relaying
measures.
Does it also cover open proxies? In my limited experience, that's where the
majority of spam comes from today.

relays.osirusoft.com lists proxies as well, there's of course the
monkeys.org lists as well.

As for TMDA, how useful is it for stopping dictionary attacks, and spammers
just ignoring any 550 and blasting away at your mail server(s)? If TMDA
sends out a confirmation request each time, it could easily become part of
the problem, and not the solution.

--
Juha
Dean Pemberton
2003-02-27 20:36:05 UTC
Permalink
Post by Juha Saarinen
As for TMDA, how useful is it for stopping dictionary attacks, and spammers
just ignoring any 550 and blasting away at your mail server(s)? If TMDA
sends out a confirmation request each time, it could easily become part of
the problem, and not the solution.
Sure, which was my postmasters point as mentioned previously.

Spam Assassin solved that.


Dean
Simon Byrnand
2003-02-27 22:06:34 UTC
Permalink
Post by Gordon Smith
I agree with Juha.
We are seeing more and more spam hitting the mail servers that is being
relayed via open socks proxies.
At this rate, I think its just going to be a matter of time before we're
forced to block inbound connections on proxy ports.
I've had good results with the Osirusoft RBL's - Joe combines the more
commonly used ones. Be aware that you may need to whitelist some regions
- keep any eye on your rejections.
While relays.osirusoft.com certainly catches a lot of spam, my own stats
suggest that a combination of both relays.osirusoft.com and ordb.org still
miss around 40% of spam, and osirusoft.com gives an unacceptable number of
false positives that need to be manually worked around.

The days of straight RBL based connection rejection for spam filtering are
over IMHO, spammers are just too clever now and have too many different
methods of attack. IP based RBL blacklists (used in isolation) are a bit
like using a sledgehammer to crack a nut - sure it will crack the nut, but
you might flatten your thumb in the process, or not end up with anything
edible :)

Definately the next generation of spam filtering is a multipronged approach
like Spamassassin, which is starting to achieve quite impressive results...
Post by Gordon Smith
Spamcop seems to be fairly conservative in its listings. I'd disagree
with Mike Beattie's comments - the rant on the link posted is just that,
a misguided rant. I'm sure we're all aware of the additional workload
created by UCE. Unfortunately, it would seem that at least one ISP (that
of Mr. Felton) failed to perform due diligence.
I personally don't think much of spamcop after having been falsely listed
by them a couple of times, but at least its easy to get unlisted again if
you're not guilty.....

Regards,
Simon
Juha Saarinen
2003-02-27 22:15:45 UTC
Permalink
Post by Simon Byrnand
The days of straight RBL based connection rejection for spam
filtering are over IMHO, spammers are just too clever now and have
too many different methods of attack.
I think that was part of the rationale for SPEWS. They know it's impossible
to react quickly enough to stop the spam flooding from relays and proxies,
so they block the spam sources instead, with a fair bit of collateral damage
(that's the nuts ;-)) so that the ISP takes notice.

Lots of people disagree with SPEWS, but it does seem to work to some extent.

--
Juha
Mike Beattie
2003-02-27 20:23:32 UTC
Permalink
Post by Simon Lyall
Post by Craig Whitmore
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
bl.spamcop.net , [kr|cn|ng|br].rbl.cluecentral.net
1. False positives
2. Timeouts when the RBL dies or gets DOSed
3. False positives
4. Nazi's behind the service

http://boingboing.net/2002_08_01_archive.html#85361424

(big page, let it load)

Mike.
--
Mike Beattie <***@ethernal.org> ZL4TXK, IRLP Node 6184

"In the beginning the Universe was created. This has made a lot of people
very angry and been widely regarded as a bad move." - Douglas Adams
Dean Pemberton
2003-02-27 20:04:46 UTC
Permalink
It's a little off topic, and not really suitable for deployment on an isp
central mail server, but..

I think I've 100% solved my personal spam problem. I 0wn it, it is my b***h =)

Tune out now if you don't care, read on if you want to know how.

I've been using TMDA for about a year now, and I recently added Spam
Assassin to that.

The first piece of spam that made it through this system arrived today.
Thats out of about 4000 bits of spam. The only reason that made it through
was that the spammer actually replied to the confirmation email that TMDA
sends back (I'll get him later).

TMDA works like a treat. You have to make the decision that you're willing
to inconvienience people who mail you the first time (with a confirmation
process). Out of the 294 people on my whitelist I've only had two complain.
And both of them thought it was a better idea after I phoned/had beer with
them. I worry that some people will not respond nor complain, but a quick
check of unconfirmed messages shows me that this is not the case. Even my
grandmother managed to work it out.
This will not be appropriate for you work email account however.
Telling customers to prove who they are is never good. I also have email
aliases which mypass some or all of my spam system. eg if I know someone is
going to hate being annoyed then they might get ***@deanpemberton.com which
has no checking on it.

The downside to TMDA is that it tries to send a confirmation email for each
suspect email that it receives. The postmaster for the box where I have
this set up had a bit of a whinge that this was causing too much postmaster
mail (because most of them will die because they are sent to bogus spam
addresses). His solution to this was to front end the system with Spam
Assassin.

I was pretty dubious at first. The reason I had gone with TMDA was that I
never wanted to miss a real message. I didn't think that packages like SA
did a very good job.

I'm happy to say that I've been proved 100% wrong. SA sits at the front and
looks at the messages - if it thinks it's spam then it tags it with why and
places it in my Spam folder (which I think I'd check once a day when I'm
bored). I think it has tagged real mail as spam once and that was because
a friend forwarded me some spam.

If the message makes it through SA, and about 10% of spam does, then TMDA
gets it and sends off a confirmation email if the address is not in it's
whitelist.


This is so effective that as I say only one piece of spam in the last 4000
has made it to my inbox. And that needed to a) not look like spam to SA,
and b) have the spammer give his real address and then take the time to
reply to a confirmation message from me. Quite rare eh.

SA is doing such a good job that I've started to apply some statistical
modeling to how it ranks my spam. It fits a weibul distribution almost
perfectly and I plan to use this to tune the parameters so that I can prove
that it's catching the maximum amount of spam while minimising the risk of
it tagging real mail. The graphs look pretty =)


So this double approach really works for me.

If you want to know anything else then just mail me offline.
If you want to see it in action (TMDA that is) then mail me offline =)

Here are some links


http://tmda.net/
http://spamassassin.org/


Later


Dean
Post by Craig Whitmore
As the amount of spam grows as the internet grows bigger, using RBL's is
growing as well (to try and stop/slow the spam).
I am wondering what RBL's other ISP's/Companies in NZ Use?
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they say), but the best I've
found so far has been http://relays.osirusoft.com.
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
Thanks
Craig Whitmore
Orcon Internet
http://www.nzdsl.co.nz
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
Nathan Ward
2003-02-27 20:26:42 UTC
Permalink
My personal approach is this:

*@daork.net by default goes to me.
I sign up for something, say CCO, with ***@daork.net.
If someone spams me with that address, I then can go and retaliate
against the organisation who sold my 'E-Mail address', dependant on how
motivated/bored I feel, and that address then goes to /dev/null.

Same goes for mailing lists. I sub to nznog with say ***@daork.net, it
gets spammed, deleted and resubbed as ***@daork.net.

Or when I give my E-Mail address out to people, I say they must use
<thiername>@daork.net, so if they CC me in the hope that it will give
the small goat in western Alaska new horns, and I get spammed to that
address, I can delete it too (after notifying the person of course).

This way I know who sold/leaked my address, I don't let the spammer know
that there is someone listening on the other end, and if say, a big
corporation were to spam me after saying in some privacy statement that
they won't, I can apply lawyer technology and get some free $. Maybe.


At work I have just one E-Mail address which get spammed all the time,
though this could work just as well there with nward-*@esphion.com.
Which is something I really should get around to doing.

Nathan Ward
Post by Dean Pemberton
It's a little off topic, and not really suitable for deployment on an isp
central mail server, but..
I think I've 100% solved my personal spam problem. I 0wn it, it is my b***h =)
Tune out now if you don't care, read on if you want to know how.
I've been using TMDA for about a year now, and I recently added Spam
Assassin to that.
The first piece of spam that made it through this system arrived today.
Thats out of about 4000 bits of spam. The only reason that made it through
was that the spammer actually replied to the confirmation email that TMDA
sends back (I'll get him later).
TMDA works like a treat. You have to make the decision that you're willing
to inconvienience people who mail you the first time (with a confirmation
process). Out of the 294 people on my whitelist I've only had two complain.
And both of them thought it was a better idea after I phoned/had beer with
them. I worry that some people will not respond nor complain, but a quick
check of unconfirmed messages shows me that this is not the case. Even my
grandmother managed to work it out.
This will not be appropriate for you work email account however.
Telling customers to prove who they are is never good. I also have email
aliases which mypass some or all of my spam system. eg if I know someone is
has no checking on it.
The downside to TMDA is that it tries to send a confirmation email for each
suspect email that it receives. The postmaster for the box where I have
this set up had a bit of a whinge that this was causing too much postmaster
mail (because most of them will die because they are sent to bogus spam
addresses). His solution to this was to front end the system with Spam
Assassin.
I was pretty dubious at first. The reason I had gone with TMDA was that I
never wanted to miss a real message. I didn't think that packages like SA
did a very good job.
I'm happy to say that I've been proved 100% wrong. SA sits at the front and
looks at the messages - if it thinks it's spam then it tags it with why and
places it in my Spam folder (which I think I'd check once a day when I'm
bored). I think it has tagged real mail as spam once and that was because
a friend forwarded me some spam.
If the message makes it through SA, and about 10% of spam does, then TMDA
gets it and sends off a confirmation email if the address is not in it's
whitelist.
This is so effective that as I say only one piece of spam in the last 4000
has made it to my inbox. And that needed to a) not look like spam to SA,
and b) have the spammer give his real address and then take the time to
reply to a confirmation message from me. Quite rare eh.
SA is doing such a good job that I've started to apply some statistical
modeling to how it ranks my spam. It fits a weibul distribution almost
perfectly and I plan to use this to tune the parameters so that I can prove
that it's catching the maximum amount of spam while minimising the risk of
it tagging real mail. The graphs look pretty =)
So this double approach really works for me.
If you want to know anything else then just mail me offline.
If you want to see it in action (TMDA that is) then mail me offline =)
Here are some links
http://tmda.net/
http://spamassassin.org/
Later
Dean
Post by Craig Whitmore
As the amount of spam grows as the internet grows bigger, using RBL's is
growing as well (to try and stop/slow the spam).
I am wondering what RBL's other ISP's/Companies in NZ Use?
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they say), but the best I've
found so far has been http://relays.osirusoft.com.
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
Thanks
Craig Whitmore
Orcon Internet
http://www.nzdsl.co.nz
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
zcat
2003-02-27 21:20:50 UTC
Permalink
Post by Dean Pemberton
I've been using TMDA for about a year now, and I recently added Spam
Assassin to that.
I've taken a slightly similar approach; I use spamassassin but anything
which 'might' be spam (5.0-10.0) gets an autoreply suggesting that if it's
genuine mail it needs to be made less spam-like.

Replies to actual spam almost always bounce. 419 spams generally score
15-20 and don't get replied to.

I still get one or two spams per week that score less than 5.0, but I can
live with that. I'm not aiming for 100%, I just want little enough spam
that I can still find my real mail :)

The script and .procmail is at http://www.wlug.org.nz/AreYouSpam if you
want to use it or suggest improvements.
Mark Foster
2003-02-27 20:54:01 UTC
Permalink
Be warned, I might call you on that tonight. :-) Ive got no idea what our
local node number is though..

In terms of spam, ive adopted essentially the same policy as Nathan Ward
pointed out, which has been useful so far - except for the completely
noncooperative nature of the one network I can positively identify as
having sold an address on my domain in their spamlist...

So the second part of my personal system is to actively do the following:

1) Watch my web server logs for crawlers from 'dodgy' networks. (read:
*.cn, *.kr, *.br etc)
2) Firewall said networks from my MTA/Webserver (same box) entirely
3) Look up individual spam source IPs with whois, send abuse complaints in
the first instance..
4) Block spamming MTA (smtp only) in the second instance.
5) skip step 3 where source IP is *.cn. *.kr, *.br, or where spam type is
persistant.

The amount of spam ive dealt with of late has dropped significantly as a
result of the above. Essentially what ive done is built my own RBL,
because at least this way im personally responsible for what gets blocked
and what is permitted, and not at the whim of some 3rd party block list...

And personally while I see TMDA as quite effective, I also see it as a
serious inconvenience.

Mark.
Gordon Smith
2003-02-27 21:23:51 UTC
Permalink
I agree with Juha.

We are seeing more and more spam hitting the mail servers that is being
relayed via open socks proxies.
At this rate, I think its just going to be a matter of time before we're
forced to block inbound connections on proxy ports.

I've had good results with the Osirusoft RBL's - Joe combines the more
commonly used ones. Be aware that you may need to whitelist some regions
- keep any eye on your rejections.
Spamcop seems to be fairly conservative in its listings. I'd disagree
with Mike Beattie's comments - the rant on the link posted is just that,
a misguided rant. I'm sure we're all aware of the additional workload
created by UCE. Unfortunately, it would seem that at least one ISP (that
of Mr. Felton) failed to perform due diligence.


Gordon
Nathan Ward
2003-02-27 21:42:00 UTC
Permalink
Block open connections on proxy ports?
So john spammer connects to an open socks server and gets a connection
to your (or another) mail server.
This connection looks like socksserver:<port> -> smtpserver:25. where
<port> is a not-used port on the socks server..
Blocking that port doesn't work too well.

Blocking connections to proxies inside your/customers networks on the
other hand is different, but unless everyone in the world goes and does
this, the effect is limited, it just means spam wont 'originate' from
inside your network. As long as their is one open proxy server in the
world, you will still get spam in this way.

Or do you mean use a relays.osirusoft.com type system to block mail from
known open proxies?
This would have more effect on inbound spam than the method in my second
paragraph.

Nathan Ward
Post by Gordon Smith
I agree with Juha.
We are seeing more and more spam hitting the mail servers that is being
relayed via open socks proxies.
At this rate, I think its just going to be a matter of time before we're
forced to block inbound connections on proxy ports.
I've had good results with the Osirusoft RBL's - Joe combines the more
commonly used ones. Be aware that you may need to whitelist some regions
- keep any eye on your rejections.
Spamcop seems to be fairly conservative in its listings. I'd disagree
with Mike Beattie's comments - the rant on the link posted is just that,
a misguided rant. I'm sure we're all aware of the additional workload
created by UCE. Unfortunately, it would seem that at least one ISP (that
of Mr. Felton) failed to perform due diligence.
Gordon
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
Don Stokes
2003-02-27 21:48:47 UTC
Permalink
Further to this, is anyone using SpamAssassin for large-ish scale
filtering? With RBLs or without? Or anything else?

-- don
Post by Craig Whitmore
As the amount of spam grows as the internet grows bigger, using RBL's is
growing as well (to try and stop/slow the spam).
I am wondering what RBL's other ISP's/Companies in NZ Use?
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they say), but the best I've
found so far has been http://relays.osirusoft.com.
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
Thanks
Craig Whitmore
Orcon Internet
http://www.nzdsl.co.nz
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
Dean Pemberton
2003-02-27 21:51:50 UTC
Permalink
Juniper does. tags subject lines with ****SPAM**** and then delivers.

Seems to work really well.


Dean
Post by Don Stokes
Further to this, is anyone using SpamAssassin for large-ish scale
filtering? With RBLs or without? Or anything else?
-- don
Post by Craig Whitmore
As the amount of spam grows as the internet grows bigger, using RBL's is
growing as well (to try and stop/slow the spam).
I am wondering what RBL's other ISP's/Companies in NZ Use?
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they say), but the best I've
found so far has been http://relays.osirusoft.com.
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
Thanks
Craig Whitmore
Orcon Internet
http://www.nzdsl.co.nz
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
James Tyson
2003-02-27 21:54:33 UTC
Permalink
A lot of lists do, for example everything at lists.debian.org goes
through SpamAssasin.
Post by Dean Pemberton
Juniper does. tags subject lines with ****SPAM**** and then delivers.
Seems to work really well.
Dean
Post by Don Stokes
Further to this, is anyone using SpamAssassin for large-ish scale
filtering? With RBLs or without? Or anything else?
-- don
Post by Craig Whitmore
As the amount of spam grows as the internet grows bigger, using RBL's is
growing as well (to try and stop/slow the spam).
I am wondering what RBL's other ISP's/Companies in NZ Use?
There are quite a number (of RBL's) but a few can't be used as they still
have Xtra's Network in them (for "Sueing ORBS" they say), but the best I've
found so far has been http://relays.osirusoft.com.
Can anyone suggest a better one/comments/pitfalls on using RBL's for slowing
down spam.
Thanks
Craig Whitmore
Orcon Internet
http://www.nzdsl.co.nz
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
--
James Tyson <***@samizdat.co.nz>
Gordon Smith
2003-02-27 22:01:36 UTC
Permalink
It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.

I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.

There is also another approach to bulk mail - DCC - which uses checksums
to identify UCE. As to how effective it is though, I have no idea....
Craig Whitmore
2003-02-27 22:14:50 UTC
Permalink
We have tested mimedefang, a milter filter for sendmail (which has
DCC/Razor/Spamassassin/Anti Virus plugins etc) and it works really well
finding most Spam (TAG's info in the header). Scales very well for usage.
Alot more customiseable/less load than alot of commercial packages out there
at the moment and all open source software.

Thanks
Craig

----- Original Message -----
From: "Gordon Smith" <***@morenet.net.nz>
To: "'NZNOG'" <***@list.waikato.ac.nz>
Sent: Friday, February 28, 2003 11:01 AM
Subject: RE: [nznog] RBL's used
Post by Gordon Smith
It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.
I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.
Dean Pemberton
2003-02-27 22:19:25 UTC
Permalink
What do people think of Razor?

I've had times when it's just a pain in the arse (blank messages get tagged,
as to messages with a single 'test' in them).

It adds to network traffic if you have alot of email too. I'm looking at my
spam and seeing if SA would have caught the spam anyway. If thats the case
then Razor is pretty useless.

Nice idea though

Dean
Post by Craig Whitmore
We have tested mimedefang, a milter filter for sendmail (which has
DCC/Razor/Spamassassin/Anti Virus plugins etc) and it works really well
finding most Spam (TAG's info in the header). Scales very well for usage.
Alot more customiseable/less load than alot of commercial packages out there
at the moment and all open source software.
Thanks
Craig
----- Original Message -----
Sent: Friday, February 28, 2003 11:01 AM
Subject: RE: [nznog] RBL's used
Post by Gordon Smith
It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.
I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.
_______________________________________________
Nznog mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
Simon Byrnand
2003-02-28 00:16:36 UTC
Permalink
Post by Dean Pemberton
What do people think of Razor?
I've had times when it's just a pain in the arse (blank messages get tagged,
as to messages with a single 'test' in them).
It adds to network traffic if you have alot of email too. I'm looking at my
spam and seeing if SA would have caught the spam anyway. If thats the case
then Razor is pretty useless.
Nice idea though
Yeah, nice idea, but it doesn't seem to work as well as it could. The extra
latency doing the network checks can be a problem, and I noticed an
unacceptable number of false positives, even with the "confidence level" in
razor2 set to 100%.

A bit of discussion on the SA mailing list suggests that the problem is a
combination of people overzelously reporting non-spam as spam (or using
auto-reporters) and bugs in the code that would falsely match messages it
shouldn't. Definately not reliable enough for any kind of sitewide system.

Regards,
Simon
Russell Fulton
2003-02-27 22:27:06 UTC
Permalink
Post by Gordon Smith
It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.
I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.
This isn't really feasible since the whole point of the RBL is that you
dump the session before it sends anything so you don't know who its for.
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

"It aint necessarily so" - Gershwin
Michael Newbery
2003-02-28 03:15:29 UTC
Permalink
Post by Russell Fulton
This isn't really feasible since the whole point of the RBL is that
you dump the session before it sends anything so you don't know who
its for.
I *think* barfing (5xx) when you get a connection or on "MAIL FROM"
strictly speaking isn't allowed in the RFC (I've not check rfc2821 so
this may have changed since '821).
Simon Byrnand
2003-02-27 22:31:43 UTC
Permalink
Post by Russell Fulton
Post by Gordon Smith
It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.
I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.
This isn't really feasible since the whole point of the RBL is that you
dump the session before it sends anything so you don't know who its for.
And thats one of the big problems with plain RBL checks.

I suspect whats being refered to here, is the fact that Spamassassin
queries several RBL lists as part of its testing. However rather than a
match causing the mail session to be rejected before you even know who a
message is from or to, matches in various RBL lists add "points" to the
spam score towards indicating the message is spam. With enough
corroboration the message is regarded as spam.

The RBL checks in Spamassassin are a useful part of the set of tests it
performs, and like all other spamassassin rules, can be per-user customized.

Regards,
Simon
Gordon Smith
2003-02-27 22:25:31 UTC
Permalink
Sorry, guess I wasn't clear on blocking open proxies.

I was meaning that if the current trend of abusing open proxies
continues, we'll end up denying any inbound traffic destined for
customers on proxy ports.
Those that don't will end up blocklisted as more and more people bounce
spam off their customers.
We've already started denying port 25 connections from DSL netblocks in
parts of the U.S.
We're returning a 553 with a message to relay through their ISP. It
helps, but I don't think its an ideal solution.

The lack of any form of redress against spammers doesn't help the issue
either.
Unfortunately, we end up carrying the traffic costs.

Joe Jared's lists at relays.osirusoft.com do contain open proxies, but
these aren't actively maintained. Once listed, the user must request
re-testing before the block is removed. Re-tests are not automatic. The
biggest problem, especially with DSL, is those users on dynamic
addresses and running open proxies. In that case, the only solution is
to block the entire range.

Given the wide range of client software used, I don't think there's any
easy answer to this issue. If the SMTP protocol is re-written to enhance
security and accountability for traffic, the negative effects on legacy
systems would be huge. Attacking the problem at the client end would
pose similar problems.

Spamassassin still looks to be one of the best options at this stage.


Gordon
Simon Lyall
2003-02-27 23:44:18 UTC
Permalink
Post by Russell Fulton
Post by Gordon Smith
It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.
I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.
This isn't really feasible since the whole point of the RBL is that you
dump the session before it sends anything so you don't know who its for.
Funny I could have sworn that is what ihug's been doing for the last year
or so. Of course it means you accept the message and don't save the
bandwidth (as such) but the bandwidth overhead for spam isn't huge.

Spamassassin has RBLs (plus DCC, Razor, Bayes and other buzzwords) built
in so you can use it to tag/block according to them on a per-user basis.

I was thinking about doing a talk about this at nznog this year if enough
peoiple are interested.
--
Simon Lyall. | Newsmaster | Work: ***@ihug.co.nz
Senior Network/System Admin | Postmaster | Home: ***@darkmere.gen.nz
Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
Dean Pemberton
2003-02-28 00:24:43 UTC
Permalink
Post by Simon Lyall
I was thinking about doing a talk about this at nznog this year if enough
peoiple are interested.
Yeah so was I. Or something similar
Roger are there any more spare slots for speakers?


Dean
Juha Saarinen
1970-01-01 00:00:00 UTC
Permalink
Post by Simon Lyall
I was thinking about doing a talk about this at nznog this year if
enough peoiple are interested.
Yip yip! I'd come and egg you ... on I mean. Especially if you were to
include a section on defensive strategies against large dictionary attacks
and similar abuses.
--
Juha Saarinen
Hamish MacEwan
2003-03-01 00:30:47 UTC
Permalink
Hi,

A bit of a "me too" post in that I use the ***@domain mechanism,
and have recently been given the benefit of SpamAssassin both at work
and on my personal mail, but I haven't seen anyone mention the
disposable email address services like sneakemail.com.

Despite the execrable name and user interface, it's useful if you don't
have control of your own domain and mail-server. They have finally
introduced "instant" address generation, so you can give out addresses
off-line... there are other services, vive le difference.

But I agree with the poster who said the RBLs are on their way out, they
are too crude a tool and an estimate of the false positives they
blocked, IIRC, was about 11%.

When I read the horror stories here about how the Net is being strangled
in order to choke spam, it's scary. Bob Frankston comments:

"I'm afraid of the spam hunters. They are trying to find all those bad
people and get rid of them. It seems obvious that there is something
called Spam and we must get rid of it. Having a simple term, even if
it's still a trademark for Hormel's Deviled Ham, has misframed the
problems."

http://satn.org/archive/2003_02_02_archive.html#90265861

What you are seeing in all the growingly successful approaches is edge
and collaborative filtering, after all, what may be spam to you is
hugely amusing to me. I have a collection of that which you call 419.
They are hilarious. One man's ceiling is another man's floor and all
that.

I think by having a user configurable edge, doctors and legislators can
email about "sex" without having to resort to neologisms like "secks."

And, with a good user interface, most users (I read even Dean's
grandmother, you agist pig! :) can control what they receive.

It's one of my favourite RFC quotes:

"In contrast with paper-based communication, it is interesting to note
that the RECEIVER of a message can exercise an extraordinary
amount of control over the message's appearance. The amount of
actual control available to message receivers is contingent upon the
capabilities of their individual message systems."

-- RFC822

In the case of spam, it's literally the appearance of the email in the
users mail box.

Spam is another problem that wasn't going to be fixed in some
heavyweight core, but at the edge, where the individual receiver has a
right to their own opinion about what constitutes... spam, porn, et al
and needs only to be provided with better "capabilities of their
individual message systems."


Hamish.
--
He who fights with monsters might take care lest he thereby
become a monster. And if you gaze for long into an abyss,
the abyss gazes also into you.
-- Friedrich Nietzsche
Continue reading on narkive:
Loading...